Detection Engineering Weekly #34 - Another Minecraft vuln?!
don't panic. don't panic. don't panic.
Welcome to Issue #34 of Detection Engineering Weekly!
This week’s recap:
2 post 💎 by David French on building a detection-as-code pipeline with open-source and freemium tools
TrustedSec’s Shane Hartman on Prefetch files for DFIR, leveraging osquery on MacOS for XProtect by Chris Long, LOLDrivers 2.0 by Michael Haag.. the list goes on and on!
Ivanti joins the ranks of CISA KEV, Conti and Akira are eerily similar, Krebs unearths SocksEscort, and a Minecraft vuln
Plus so much more!
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
From soup to nuts: Building a Detection-as-Code pipeline Part 1 and
From soup to nuts: Building a Detection-as-Code pipeline Part 2 by David French
This week's gem contains a ton of content, and I couldn't leave out this 1-2 punch by French. If you want a full-fledged detection-as-code pipeline tutorial, then look no further! French explores building a lab for writing detections and scaling them using Terraform (infrastructure-and-detections-as-code), Sumo Logic (SIEM), and Tines (SOAR/low to no-code automation).
Once you boot the pipeline up, Part 2 focuses heavily on CI/CD workflows to test your detections. I love that French's assumption here is that detection rules, by design, have false negatives and tend to drift. When you have 10 to focus on, you can do this manually. But what happens when you 10x or 100x your rules? Without automation, your people spend most of their time on manual review and curation. This lab helps solve that issue by regularly testing these integrations and rules and creating GitHub issues when some drift is detected.
State of the Art
Prefetch: The Little Snitch That Tells on You by Shane Hartman
Prefetch files are a capability in Windows that helps optimize system performance through pre-loading resources from disk. Turns out, these files are helpful for incident response, malware analysis, and detection engineering. Hartman reviews what these file types are, how Windows formats them, and what you can use them when you deep-dive an incident on an infected system.
No keys attached: Exploring GitHub-to-AWS keyless authentication flaws by Christophe Tafani-Dereeper
**Note, my employer is Datadog**
I am super excited to see this finally go live! Christophe has been on a tear releasing blogs, open-source tools, and talks here at Datadog. Why not add a vulnerability disclosure to the mix? After researching misconfigured OIDC implementations in GitHub, Christophe tested this for AWS roles and found multiple organizations were susceptible to an AWS account takeover. He found one pipeline owned by the UK Government's AWS account, and they were fantastic in their response.
Anomaly detection in certificate-based TGT requests by Alexander Rodchenko
This is a fantastic introductory post to Kerberos authentication in Active Directory and common methods adversaries use to forge certificates, such as DCSync. These authentication schemes are messy, and although Windows implements the cryptographic operations correctly, it assumes a non-compromised device :). The best part of Rodchenko's post is looking at how to look for artifacts related to a DCSync attack via the EVT log.
Leveraging osquery to examine the XProtect Behavioral Service DB by Chris Long
Following DPRK Week here at Detection Engineering Weekly (is that a thing yet? Can I make it a thing?), it's good to see follow-up posts like Long's from details released on Mandiant's blog. If you still need to read Mandiant's post, take a minute and return to this one. They specifically call out how valuable XProtect was for their investigation:
During the investigation, Mandiant observed the threat actor target four (4) OSX Ventura systems running either versions 13.3 or 13.4.1. During the forensic analysis of these systems, Mandiant identified a relatively new forensic artifact that proved extremely valuable to the investigation.
This forensic artifact is related to Apple’s XProtect services, specifically, the XProtect Behavioral Service.
Long takes the analysis of XProtect a bit further and shows how to leverage this capability for analysis at scale with osquery.
Analyzing and visualizing cyberattacks using Attack Flow by Lennart Erikson
If you ever read public reports on attacks, you likely want to model the full attack chain to see if you have coverage over your MITRE ATT&CK maps. And if you DID do that, it might not look appealing for people to read. Luckily, there's a tool released by MITRE Engenuity called "Attack Flow" that helps defenders build these chains for visualization and coverage requirements. Erikson applies this tool to the SIEM detection space, which is much easier to read!
Threat hunting Pivoting via SMB Named Pipe by Tho Le
I love tradecraft posts that highlight the red and blue-team side of the compromise equation. Le sets up a scenario where an adversary gains initial access to an Internet-facing host, and the attackers try to pivot laterally to non-Internet-facing hosts using SMB named pipes. Once the attacker installs a named pipe implant, Le moves to detection opportunities. The best part? They start with a hypothesis!
LOLDrivers 2.0: Pioneering Progress by Michael Haag
Massive update to the LOLDrivers project by Haag & team. Everything from automatic Yara rule generation of new drivers, the addition of 750+ drivers, and enrichment with CVE data makes this project more versatile than ever. Congrats to the LOLDrivers team!
Detection Engineering Zero to Hero by Anthony Isherwood
I love seeing Detection Engineering educational resources come to life; this one is accessible for a beginner or an expert. The current discount code has it for $15 USD for 6 hours of content, whereas professional courses can cost you thousands. Isherwood covers theory, lab setup, building a SIEM, and emulating several attack scenarios. He also has the same course on TCM Academy here, if you have a subscription on that platform.
Detection Engineering on Social Media
Link: https://twitter.com/sherrod_im/status/1684673467134685184
Link: https://twitter.com/Cyb3rMonk/status/1685035846095843328
Detection Engineering Podcasts
Trying something new here and adding podcast episodes related to Detection Engineering. If you haven’t checked out InfoSec Sidekick, please give it a listen and subscribe!
Threat Landscape
CISA Adds One Known Exploited Vulnerability to Catalog by CISA
Ivanti released CVE-2023-35078 last week, and this week CISA confirms in the wild exploitation. Hold on to your butts!
Conti and Akira: Chained Together by Steven Campbell, Akshay Suthar, Connor Belfiore
If a ransomware group falls in a forest, and there's no one around to hear it, do they make a sound? The real question is: do they call it quits and get out of the game much like Jay-Z did? This answer is probably not. In this post, Arctic Wolf deep dives into the new Akira group and how it shares similar Bitcoin payment infrastructure and TTPs as Conti.
CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments by CISA
In this report, CISA basically surveys several critical infrastructure operators and state, local, tribal, and territorial governments to assess their strengths against potential threats. Think of it as a purple team exercise for the US government and critical infrastructure. The TL;DR is that most successful attacks carried out were using common methods, such as default credentials, and the same vulnerabilities kept showing up during their assessments repeatedly.
Who and What is Behind the Malware Proxy Service SocksEscort? by Brian Krebs
Investigative report by Krebs that unearths the SocksEscort service behind the AVRecon botnet. AVRecon targeted SOHO routers, infected them with malware, and "joined" them to the SocksEscort service for people to use to route traffic through. Lumen could not determine how the routers were infected. However, they commented that operators build these botnets by abusing default or weak credentials or exploiting unpatched security vulnerabilities that never get patched.
VirusTotal Malware Trends Report: Emerging Formats and Delivery Techniques by Vicente Díaz
VirusTotal released their trends report that hopefully shouldn't surprise readers of this newsletter, as many of the critical findings align with the threat landscape stories I've posted for the last six months. But it's super interesting to see some of the telemetry they collect and use for this type of reporting. For example, ISO images are a reliable malware delivery payload, and OneNote skyrocketed first half of this year as a great alternative to PDFs and Excel sheets with embedded macros.
Bleeding Pipe: A RCE vulnerability exploited in the wild by MMPA
The video game community exploit, and malware development continues to amaze me and be way ahead of criminals, nation-states, and hell, even researchers! BleedingPipe is an unsafe deserialization vulnerability found in Minecraft mods, resulting in remote code execution for both clients AND servers. I hope the vulnerability stays in Minecraft and doesn't bleed out like Log4shell.
Open Source
webpalm by malwarize
Golang based recursive link crawler for target websites. This would be fun for pentesters and vulnerability researchers, but I get excited about tools like this for threat actor sites to hunt for misconfigurations and OSINT.
saas-attack by pushsecurity
SaaS-first "ATT&CK" matrix by push security. I love this approach because detection and response teams face SaaS sprawl and, even worse audit-log sprawl. By modeling your coverage onto a matrix like this, you can build compensating controls if the audit-logs are bad (check out Audit Logs Wall of Shame to see some anti-patterns).
PurpleKeep by Retrospected
PurpleKeep “..serves as an End-to-End Detection Rule Validation platform tailored for an Azure-based environment”. Pretty amazing work by Retrospected here - by combining Atomic Red Team and some devops magic, you can get an attack simulation platform soup to nuts.
BucketLoot by redhuntlabs
BucketLoot is an S3-compatible cloud storage scanner focused on speed. Redhunt Labs has a corresponding blog post showcasing the tool, and they'll present it at BlackHat Arsenal.